Your Inherent Risks
The risk assessment for your firm needs to define, and give
others an understanding of, your business, the risks associated
with the transactions you conduct, and the type of clientele
that you serve.
Based on your knowledge and experience, consider the risk
characteristics of each of these for money laundering and terrorist
financing should your organization do nothing to deter, prevent
or detect that activity. You may decide that some characteristics
present a lower risk for money laundering and terrorist financing
than others. Consider and document these various characteristics
as well as your assessment of the level of risk posed by each of
them – from lower to higher risk.
Mitigating Your Risks
Organizations have limited resources to allocate to
compliance. Accordingly, you need to be strategic and allocate
your resources efficiently and effectively. For each of the higher
risk characteristics, document what you are doing to mitigate
the risks – whether you have implemented a control or prohibit a
transaction. Questions you can consider are:
1. Do the policies make it clear that we are aware of our
higher risk characteristics and what we are choosing to do
2. Have staff been given training about the organization’s
policies and the related higher risk characteristics of our
3. What is the process to identify clients or transactions that
reflect the higher risk characteristics? How do we identify and
address risks for clients that reside in non-FATF jurisdictions
or that have funds sourced from high-corruption countries?
4. Have we implemented a process to monitor for and examine
clients and transactions with higher risk characteristics in
5. Do our staff know the red flags to look for?
6. Do we have enhanced due diligence procedures in place for
our higher risk clients and what are those procedures? Do we
document source of funds and the purpose and nature of the
7. What other regulatory-required procedures are we doing that
mitigate our identified risks? Are we unnecessarily expending
too many resources focused on a low risk area?
Your risk assessment should answer whether your
organization sufficiently addresses the money laundering and
terrorist financing risks to a tolerable level for your organization.
Areas where there are insufficient or non-existent controls should
be reviewed and addressed with new control procedures.
Ongoing Risk Assessment
Your risk assessment is always a work in progress; as your
organization grows and evolves, risks change and your assessment
of those risks develops. A good rule of thumb is to revisit your risk
assessment at least every two years and perhaps annually. When
your organization experiences significant changes, such as new
service offerings, your risk assessment should be revisited and
updated more frequently.
The risk assessment is a key component of your organization’s
compliance regime. A well-documented risk assessment which is
actively practiced will help to protect you and your organization.